Analysis
-
max time kernel
51s -
max time network
55s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 23:26
Static task
static1
Behavioral task
behavioral1
Sample
8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe
-
Size
125KB
-
MD5
8ffd95ba1a23c480cc987293ab4245b0
-
SHA1
eed1142346e45bd348fbca65e2df07752cca87b4
-
SHA256
78d7c51c37fbb72030ff2c699cf4df21ef7833c1ebb7848fd1e0880e8bf225c8
-
SHA512
77d356012889faaa6ecf8a62b2d23be7c081ca4c4ed8748b165fbc741ede356676595993a8e06c321d43db3587258659c39672437184fc6fa628c181c4f88849
-
SSDEEP
3072:I/H3aPFCgAoLP2uoc31WdTCn93OGey/ZhJakrPF:cHKPSSCcITCndOGeKTaG
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ekjfcipa.exeFafkecel.exeLbabgh32.exeNcdgcf32.exeOcnjidkf.exeHflcbngh.exeKedoge32.exePqbdjfln.exeBanllbdn.exeHioiji32.exeAjhddjfn.exeAepefb32.exeBagflcje.exeBfkedibe.exeCjkjpgfi.exeJfeopj32.exePcppfaka.exeAgjhgngj.exeDfnjafap.exeGododflk.exeIihkpg32.exeKfoafi32.exeAjckij32.exeCnkplejl.exeLlgjjnlj.exeOlfobjbg.exeAmpkof32.exeCndikf32.exe8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exeFhjfhl32.exeGbiaapdf.exeLiddbc32.exePfjcgn32.exeMdjagjco.exeOlhlhjpd.exePfolbmje.exeEdnaqo32.exeJmhale32.exeMlampmdo.exeBnbmefbg.exeCeckcp32.exeDmefhako.exeCfpnph32.exeChagok32.exeDhpjkojk.exeHkkhqd32.exeKdqejn32.exeKdcbom32.exeAeniabfd.exeNnqbanmo.exeHbgmcnhf.exeQgcbgo32.exeDfknkg32.exeCfbkeh32.exeDddhpjof.exeChpada32.exeFkffog32.exeJcefno32.exeQqfmde32.exeQgqeappe.exeBchomn32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncdgcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflcbngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqbdjfln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hioiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddjfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepefb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagflcje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkedibe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfeopj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjhgngj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hflcbngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iihkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfoafi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjjnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olfobjbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjfhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiaapdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfjcgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbdjfln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjagjco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfolbmje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednaqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlampmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceckcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmefhako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpjkojk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgcbgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfknkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddhpjof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpada32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkffog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcefno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgqeappe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchomn32.exe -
Executes dropped EXE 64 IoCs
Processes:
Baaplhef.exeBhkhibmc.exeBkidenlg.exeCbqlfkmi.exeCdainc32.exeCbcilkjg.exeChpada32.exeCojjqlpk.exeCdfbibnb.exeColffknh.exeCefoce32.exeClpgpp32.exeCamphf32.exeChghdqbf.exeDoqpak32.exeDekhneap.exeDdpeoafg.exeDeoaid32.exeDafbne32.exeDhpjkojk.exeDahode32.exeDdgkpp32.exeEchknh32.exeEhedfo32.exeEcjhcg32.exeEdkdkplj.exeEoaihhlp.exeEdnaqo32.exeEkhjmiad.exeEcoangbg.exeEkjfcipa.exeEepjpb32.exeFkmchi32.exeFafkecel.exeFhqcam32.exeFkopnh32.exeFfddka32.exeFkalchij.exeFakdpb32.exeFhemmlhc.exeFckajehi.exeFdlnbm32.exeFkffog32.exeFfkjlp32.exeFhjfhl32.exeGododflk.exeGdqgmmjb.exeGofkje32.exeGbdgfa32.exeGmjlcj32.exeGcddpdpo.exeGfbploob.exeGokdeeec.exeGbiaapdf.exeGmoeoidl.exeGomakdcp.exeHiefcj32.exeHopnqdan.exeHfifmnij.exeHihbijhn.exeHkfoeega.exeHcmgfbhd.exeHflcbngh.exeHeocnk32.exepid process 2880 Baaplhef.exe 3232 Bhkhibmc.exe 3160 Bkidenlg.exe 4472 Cbqlfkmi.exe 1620 Cdainc32.exe 4920 Cbcilkjg.exe 4828 Chpada32.exe 4056 Cojjqlpk.exe 4924 Cdfbibnb.exe 2052 Colffknh.exe 4284 Cefoce32.exe 1664 Clpgpp32.exe 5072 Camphf32.exe 1996 Chghdqbf.exe 3944 Doqpak32.exe 3184 Dekhneap.exe 2260 Ddpeoafg.exe 4408 Deoaid32.exe 3676 Dafbne32.exe 1396 Dhpjkojk.exe 4848 Dahode32.exe 2452 Ddgkpp32.exe 1360 Echknh32.exe 2652 Ehedfo32.exe 1104 Ecjhcg32.exe 1208 Edkdkplj.exe 4976 Eoaihhlp.exe 604 Ednaqo32.exe 3312 Ekhjmiad.exe 4264 Ecoangbg.exe 1300 Ekjfcipa.exe 4116 Eepjpb32.exe 1096 Fkmchi32.exe 2504 Fafkecel.exe 5060 Fhqcam32.exe 1036 Fkopnh32.exe 752 Ffddka32.exe 4596 Fkalchij.exe 1116 Fakdpb32.exe 1912 Fhemmlhc.exe 4376 Fckajehi.exe 1636 Fdlnbm32.exe 2532 Fkffog32.exe 2892 Ffkjlp32.exe 2520 Fhjfhl32.exe 3344 Gododflk.exe 3904 Gdqgmmjb.exe 4120 Gofkje32.exe 4876 Gbdgfa32.exe 2688 Gmjlcj32.exe 4356 Gcddpdpo.exe 4832 Gfbploob.exe 3288 Gokdeeec.exe 3808 Gbiaapdf.exe 5064 Gmoeoidl.exe 4072 Gomakdcp.exe 2072 Hiefcj32.exe 2668 Hopnqdan.exe 2280 Hfifmnij.exe 1252 Hihbijhn.exe 3832 Hkfoeega.exe 4852 Hcmgfbhd.exe 724 Hflcbngh.exe 1940 Heocnk32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hbgmcnhf.exeIfefimom.exeIpbdmaah.exeKedoge32.exeLiddbc32.exeLbdolh32.exeDoqpak32.exeHkmefd32.exeNilcjp32.exeBmngqdpj.exeKpbmco32.exeBfdodjhm.exeCndikf32.exeDahode32.exeJlnnmb32.exeHmhhehlb.exeIihkpg32.exeLgmngglp.exeGbdgfa32.exeHfnphn32.exeImfdff32.exeNgmgne32.exeOcbddc32.exeQddfkd32.exeCfbkeh32.exeDfnjafap.exeCbcilkjg.exeDdgkpp32.exeEcoangbg.exeHioiji32.exeKmdqgd32.exeDeoaid32.exeEhedfo32.exeGododflk.exeAmpkof32.exeJfoiokfb.exeNpcoakfp.exePjcbbmif.exeAgglboim.exeFkmchi32.exeGomakdcp.exeGmoeoidl.exeIldkgc32.exeKfjhkjle.exeMmbfpp32.exeNgpccdlj.exeEkhjmiad.exeFhjfhl32.exeBgehcmmm.exeNfjjppmm.exeOjoign32.exeBanllbdn.exeEdnaqo32.exeHbeqmoji.exeJfhlejnh.exeOgpmjb32.exeJfeopj32.exeMenjdbgj.exeOjjolnaq.exeCojjqlpk.exeGcddpdpo.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ifefimom.exe Hbgmcnhf.exe File created C:\Windows\SysWOW64\Imoneg32.exe Ifefimom.exe File opened for modification C:\Windows\SysWOW64\Iikhfg32.exe Ipbdmaah.exe File created C:\Windows\SysWOW64\Canidb32.dll Kedoge32.exe File created C:\Windows\SysWOW64\Llcpoo32.exe Liddbc32.exe File opened for modification C:\Windows\SysWOW64\Lebkhc32.exe Lbdolh32.exe File opened for modification C:\Windows\SysWOW64\Dekhneap.exe Doqpak32.exe File opened for modification C:\Windows\SysWOW64\Hbgmcnhf.exe Hkmefd32.exe File created C:\Windows\SysWOW64\Nljofl32.exe Nilcjp32.exe File opened for modification C:\Windows\SysWOW64\Baicac32.exe Bmngqdpj.exe File created C:\Windows\SysWOW64\Fbnkjc32.dll Kpbmco32.exe File created C:\Windows\SysWOW64\Bmngqdpj.exe Bfdodjhm.exe File created C:\Windows\SysWOW64\Cmgjgcgo.exe Cndikf32.exe File created C:\Windows\SysWOW64\Neiigifj.dll Dahode32.exe File created C:\Windows\SysWOW64\Jcefno32.exe Jlnnmb32.exe File opened for modification C:\Windows\SysWOW64\Hkkhqd32.exe Hmhhehlb.exe File opened for modification C:\Windows\SysWOW64\Ipbdmaah.exe Iihkpg32.exe File created C:\Windows\SysWOW64\Jcjpfk32.dll Lgmngglp.exe File created C:\Windows\SysWOW64\Gmjlcj32.exe Gbdgfa32.exe File created C:\Windows\SysWOW64\Hmhhehlb.exe Hfnphn32.exe File created C:\Windows\SysWOW64\Flakmgga.dll Imfdff32.exe File created C:\Windows\SysWOW64\Nilcjp32.exe Ngmgne32.exe File opened for modification C:\Windows\SysWOW64\Ofqpqo32.exe Ocbddc32.exe File opened for modification C:\Windows\SysWOW64\Qgcbgo32.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Cmlcbbcj.exe Cfbkeh32.exe File created C:\Windows\SysWOW64\Daconoae.exe Dfnjafap.exe File created C:\Windows\SysWOW64\Chpada32.exe Cbcilkjg.exe File opened for modification C:\Windows\SysWOW64\Echknh32.exe Ddgkpp32.exe File opened for modification C:\Windows\SysWOW64\Ekjfcipa.exe Ecoangbg.exe File opened for modification C:\Windows\SysWOW64\Hkmefd32.exe Hioiji32.exe File opened for modification C:\Windows\SysWOW64\Kpbmco32.exe Kmdqgd32.exe File created C:\Windows\SysWOW64\Jffldcca.dll Deoaid32.exe File created C:\Windows\SysWOW64\Igoedk32.dll Ehedfo32.exe File created C:\Windows\SysWOW64\Gdqgmmjb.exe Gododflk.exe File created C:\Windows\SysWOW64\Ageolo32.exe Ampkof32.exe File opened for modification C:\Windows\SysWOW64\Jmhale32.exe Jfoiokfb.exe File created C:\Windows\SysWOW64\Agocgbni.dll Npcoakfp.exe File created C:\Windows\SysWOW64\Pmannhhj.exe Pjcbbmif.exe File created C:\Windows\SysWOW64\Agjhgngj.exe Agglboim.exe File created C:\Windows\SysWOW64\Kdihjfbe.dll Fkmchi32.exe File opened for modification C:\Windows\SysWOW64\Hiefcj32.exe Gomakdcp.exe File created C:\Windows\SysWOW64\Ainpbi32.dll Gmoeoidl.exe File created C:\Windows\SysWOW64\Laapnj32.dll Ildkgc32.exe File created C:\Windows\SysWOW64\Eifbkgjd.dll Jfoiokfb.exe File opened for modification C:\Windows\SysWOW64\Kmdqgd32.exe Kfjhkjle.exe File created C:\Windows\SysWOW64\Mpablkhc.exe Mmbfpp32.exe File created C:\Windows\SysWOW64\Goaojagc.dll Ngpccdlj.exe File opened for modification C:\Windows\SysWOW64\Ecoangbg.exe Ekhjmiad.exe File opened for modification C:\Windows\SysWOW64\Gododflk.exe Fhjfhl32.exe File created C:\Windows\SysWOW64\Hhqeiena.dll Bgehcmmm.exe File created C:\Windows\SysWOW64\Gnpllc32.dll Nfjjppmm.exe File created C:\Windows\SysWOW64\Jfpbkoql.dll Ojoign32.exe File created C:\Windows\SysWOW64\Jjlogcip.dll Banllbdn.exe File opened for modification C:\Windows\SysWOW64\Ekhjmiad.exe Ednaqo32.exe File created C:\Windows\SysWOW64\Fpeohm32.dll Hbeqmoji.exe File created C:\Windows\SysWOW64\Kboljk32.exe Jfhlejnh.exe File created C:\Windows\SysWOW64\Ofqpqo32.exe Ocbddc32.exe File opened for modification C:\Windows\SysWOW64\Ojoign32.exe Ogpmjb32.exe File opened for modification C:\Windows\SysWOW64\Hioiji32.exe Hbeqmoji.exe File opened for modification C:\Windows\SysWOW64\Jpnchp32.exe Jfeopj32.exe File created C:\Windows\SysWOW64\Lemphdgj.dll Menjdbgj.exe File opened for modification C:\Windows\SysWOW64\Olhlhjpd.exe Ojjolnaq.exe File opened for modification C:\Windows\SysWOW64\Cdfbibnb.exe Cojjqlpk.exe File created C:\Windows\SysWOW64\Bkomqm32.dll Gcddpdpo.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6512 6436 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Qjoankoi.exeCdfbibnb.exeJfhlejnh.exeLbjlfi32.exeOcnjidkf.exeCnkplejl.exeColffknh.exePqpgdfnp.exeQgcbgo32.exeAgglboim.exeKlljnp32.exeNilcjp32.exeNcianepl.exeOnhhamgg.exePfjcgn32.exePmfhig32.exeDekhneap.exeIikhfg32.exeNnqbanmo.exePjcbbmif.exeNcfdie32.exeBnmcjg32.exeDfnjafap.exeDmjocp32.exeChpada32.exeEoaihhlp.exeOjoign32.exeGododflk.exeJfoiokfb.exeMelnob32.exePqknig32.exeAmpkof32.exeAepefb32.exeBkidenlg.exeHeocnk32.exeLmdina32.exeNlaegk32.exeOfqpqo32.exeChghdqbf.exeEkhjmiad.exeKfoafi32.exeKdcbom32.exeChagok32.exeDhpjkojk.exeLbmhlihl.exeMlampmdo.exeOlhlhjpd.exeMenjdbgj.exeOcbddc32.exePfolbmje.exeFhqcam32.exeGokdeeec.exeKlqcioba.exeLlgjjnlj.exeKmkfhc32.exeQqfmde32.exeDaconoae.exeDdpeoafg.exeFafkecel.exeJedeph32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll" Qjoankoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdfbibnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfhlejnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbjlfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnkplejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Colffknh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll" Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nilcjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncianepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onhhamgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmfhig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dekhneap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabqkgan.dll" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" Dfnjafap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocqqdjh.dll" Dekhneap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhilj32.dll" Gododflk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll" Melnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll" Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcpopjlq.dll" Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dammlf32.dll" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll" Lmdina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll" Nlaegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofqpqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekhjmiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfoafi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhi32.dll" Dhpjkojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlampmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll" Menjdbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfolbmje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhqcam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkfmkdc.dll" Klqcioba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llgjjnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll" Kmkfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll" Qqfmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddpeoafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll" Jedeph32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exeBaaplhef.exeBhkhibmc.exeBkidenlg.exeCbqlfkmi.exeCdainc32.exeCbcilkjg.exeChpada32.exeCojjqlpk.exeCdfbibnb.exeColffknh.exeCefoce32.exeClpgpp32.exeCamphf32.exeChghdqbf.exeDoqpak32.exeDekhneap.exeDdpeoafg.exeDeoaid32.exeDafbne32.exeDhpjkojk.exeDahode32.exedescription pid process target process PID 2740 wrote to memory of 2880 2740 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Baaplhef.exe PID 2740 wrote to memory of 2880 2740 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Baaplhef.exe PID 2740 wrote to memory of 2880 2740 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Baaplhef.exe PID 2880 wrote to memory of 3232 2880 Baaplhef.exe Bhkhibmc.exe PID 2880 wrote to memory of 3232 2880 Baaplhef.exe Bhkhibmc.exe PID 2880 wrote to memory of 3232 2880 Baaplhef.exe Bhkhibmc.exe PID 3232 wrote to memory of 3160 3232 Bhkhibmc.exe Bkidenlg.exe PID 3232 wrote to memory of 3160 3232 Bhkhibmc.exe Bkidenlg.exe PID 3232 wrote to memory of 3160 3232 Bhkhibmc.exe Bkidenlg.exe PID 3160 wrote to memory of 4472 3160 Bkidenlg.exe Cbqlfkmi.exe PID 3160 wrote to memory of 4472 3160 Bkidenlg.exe Cbqlfkmi.exe PID 3160 wrote to memory of 4472 3160 Bkidenlg.exe Cbqlfkmi.exe PID 4472 wrote to memory of 1620 4472 Cbqlfkmi.exe Cdainc32.exe PID 4472 wrote to memory of 1620 4472 Cbqlfkmi.exe Cdainc32.exe PID 4472 wrote to memory of 1620 4472 Cbqlfkmi.exe Cdainc32.exe PID 1620 wrote to memory of 4920 1620 Cdainc32.exe Cbcilkjg.exe PID 1620 wrote to memory of 4920 1620 Cdainc32.exe Cbcilkjg.exe PID 1620 wrote to memory of 4920 1620 Cdainc32.exe Cbcilkjg.exe PID 4920 wrote to memory of 4828 4920 Cbcilkjg.exe Chpada32.exe PID 4920 wrote to memory of 4828 4920 Cbcilkjg.exe Chpada32.exe PID 4920 wrote to memory of 4828 4920 Cbcilkjg.exe Chpada32.exe PID 4828 wrote to memory of 4056 4828 Chpada32.exe Cojjqlpk.exe PID 4828 wrote to memory of 4056 4828 Chpada32.exe Cojjqlpk.exe PID 4828 wrote to memory of 4056 4828 Chpada32.exe Cojjqlpk.exe PID 4056 wrote to memory of 4924 4056 Cojjqlpk.exe Cdfbibnb.exe PID 4056 wrote to memory of 4924 4056 Cojjqlpk.exe Cdfbibnb.exe PID 4056 wrote to memory of 4924 4056 Cojjqlpk.exe Cdfbibnb.exe PID 4924 wrote to memory of 2052 4924 Cdfbibnb.exe Colffknh.exe PID 4924 wrote to memory of 2052 4924 Cdfbibnb.exe Colffknh.exe PID 4924 wrote to memory of 2052 4924 Cdfbibnb.exe Colffknh.exe PID 2052 wrote to memory of 4284 2052 Colffknh.exe Cefoce32.exe PID 2052 wrote to memory of 4284 2052 Colffknh.exe Cefoce32.exe PID 2052 wrote to memory of 4284 2052 Colffknh.exe Cefoce32.exe PID 4284 wrote to memory of 1664 4284 Cefoce32.exe Clpgpp32.exe PID 4284 wrote to memory of 1664 4284 Cefoce32.exe Clpgpp32.exe PID 4284 wrote to memory of 1664 4284 Cefoce32.exe Clpgpp32.exe PID 1664 wrote to memory of 5072 1664 Clpgpp32.exe Camphf32.exe PID 1664 wrote to memory of 5072 1664 Clpgpp32.exe Camphf32.exe PID 1664 wrote to memory of 5072 1664 Clpgpp32.exe Camphf32.exe PID 5072 wrote to memory of 1996 5072 Camphf32.exe Chghdqbf.exe PID 5072 wrote to memory of 1996 5072 Camphf32.exe Chghdqbf.exe PID 5072 wrote to memory of 1996 5072 Camphf32.exe Chghdqbf.exe PID 1996 wrote to memory of 3944 1996 Chghdqbf.exe Doqpak32.exe PID 1996 wrote to memory of 3944 1996 Chghdqbf.exe Doqpak32.exe PID 1996 wrote to memory of 3944 1996 Chghdqbf.exe Doqpak32.exe PID 3944 wrote to memory of 3184 3944 Doqpak32.exe Dekhneap.exe PID 3944 wrote to memory of 3184 3944 Doqpak32.exe Dekhneap.exe PID 3944 wrote to memory of 3184 3944 Doqpak32.exe Dekhneap.exe PID 3184 wrote to memory of 2260 3184 Dekhneap.exe Ddpeoafg.exe PID 3184 wrote to memory of 2260 3184 Dekhneap.exe Ddpeoafg.exe PID 3184 wrote to memory of 2260 3184 Dekhneap.exe Ddpeoafg.exe PID 2260 wrote to memory of 4408 2260 Ddpeoafg.exe Deoaid32.exe PID 2260 wrote to memory of 4408 2260 Ddpeoafg.exe Deoaid32.exe PID 2260 wrote to memory of 4408 2260 Ddpeoafg.exe Deoaid32.exe PID 4408 wrote to memory of 3676 4408 Deoaid32.exe Dafbne32.exe PID 4408 wrote to memory of 3676 4408 Deoaid32.exe Dafbne32.exe PID 4408 wrote to memory of 3676 4408 Deoaid32.exe Dafbne32.exe PID 3676 wrote to memory of 1396 3676 Dafbne32.exe Dhpjkojk.exe PID 3676 wrote to memory of 1396 3676 Dafbne32.exe Dhpjkojk.exe PID 3676 wrote to memory of 1396 3676 Dafbne32.exe Dhpjkojk.exe PID 1396 wrote to memory of 4848 1396 Dhpjkojk.exe Dahode32.exe PID 1396 wrote to memory of 4848 1396 Dhpjkojk.exe Dahode32.exe PID 1396 wrote to memory of 4848 1396 Dhpjkojk.exe Dahode32.exe PID 4848 wrote to memory of 2452 4848 Dahode32.exe Ddgkpp32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe24⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe26⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe27⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3312 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4264 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe33⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:5060 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe37⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe38⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe39⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe40⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe41⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe42⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe43⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe45⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3344 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe48⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe49⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe51⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe53⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3288 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5064 -
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4072 -
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe58⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe59⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe60⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe61⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe62⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe63⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe66⤵PID:3608
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe67⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe68⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4260 -
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe70⤵
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe72⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe74⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe75⤵PID:4364
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe76⤵
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe77⤵PID:2732
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe79⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe80⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe81⤵
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3748 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5100 -
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe84⤵
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe85⤵
- Drops file in System32 directory
PID:4868 -
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4004 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe87⤵PID:4660
-
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe88⤵PID:3052
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe90⤵PID:2644
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe92⤵PID:1708
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe93⤵
- Drops file in System32 directory
PID:5044 -
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe94⤵
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe95⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe96⤵PID:4908
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe97⤵PID:2060
-
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5076 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe100⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3336 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3644 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe103⤵
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe104⤵PID:5008
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe105⤵PID:3452
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe106⤵PID:1612
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe107⤵
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe108⤵
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4440 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe110⤵PID:4768
-
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe111⤵
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe112⤵PID:2496
-
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe113⤵PID:1008
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe114⤵PID:1508
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe115⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe118⤵
- Drops file in System32 directory
PID:732 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe119⤵PID:4460
-
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe120⤵
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe121⤵PID:2268
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe122⤵PID:4564
-
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe123⤵PID:5148
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe124⤵PID:5188
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe125⤵PID:5236
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe126⤵PID:5280
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe127⤵PID:5320
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe129⤵PID:5412
-
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe130⤵PID:5456
-
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe131⤵PID:5500
-
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe133⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe134⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe135⤵PID:5672
-
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe136⤵
- Drops file in System32 directory
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe137⤵PID:5756
-
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe138⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe139⤵
- Drops file in System32 directory
PID:5848 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe140⤵
- Drops file in System32 directory
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe141⤵PID:5932
-
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5976 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe143⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe144⤵PID:6068
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe145⤵
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe146⤵PID:4812
-
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe147⤵PID:5200
-
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe148⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe149⤵PID:5328
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe150⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe151⤵PID:5472
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe152⤵
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe155⤵PID:5740
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5812 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe157⤵PID:5872
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe158⤵
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe160⤵
- Drops file in System32 directory
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe161⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe162⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe163⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe164⤵
- Drops file in System32 directory
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe165⤵PID:5508
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe166⤵PID:5668
-
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe167⤵
- Modifies registry class
PID:5748 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe168⤵PID:5864
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe169⤵
- Drops file in System32 directory
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe170⤵PID:6096
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe171⤵PID:5168
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe173⤵
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe174⤵PID:5724
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe175⤵
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe179⤵PID:5788
-
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe180⤵PID:5968
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe181⤵PID:5484
-
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe184⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe185⤵
- Drops file in System32 directory
PID:6140 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6152 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe187⤵PID:6196
-
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6240 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe189⤵PID:6284
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6328 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe191⤵PID:6372
-
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe192⤵
- Drops file in System32 directory
- Modifies registry class
PID:6416 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6460 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6504 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6548 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe196⤵PID:6592
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe197⤵PID:6632
-
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6676 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe199⤵PID:6716
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe200⤵PID:6764
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6804 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe202⤵
- Drops file in System32 directory
PID:6848 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe203⤵
- Drops file in System32 directory
PID:6892 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe204⤵PID:6932
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6976 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe206⤵
- Modifies registry class
PID:7016 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe207⤵PID:7072
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe208⤵PID:7108
-
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe209⤵
- Drops file in System32 directory
PID:7152 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe210⤵PID:6184
-
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6252 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe212⤵PID:6336
-
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6400 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6456 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe215⤵PID:6536
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe216⤵PID:6600
-
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6668 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe218⤵PID:6728
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe219⤵PID:6800
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6876 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6944 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe222⤵PID:7000
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe223⤵PID:7100
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7164 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe225⤵PID:6248
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6348 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6424 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6584 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe229⤵PID:6640
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe230⤵PID:6772
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe231⤵PID:6880
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe232⤵PID:6996
-
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe233⤵PID:7148
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6220 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6444 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe236⤵PID:6616
-
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6792 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe238⤵
- Modifies registry class
PID:7008 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe239⤵PID:6236
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe240⤵
- Modifies registry class
PID:6452 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6724 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe242⤵PID:7024